The Equal Employment Opportunity Commission (EEOC) has finally issued proposed regulations under the Americans with Disabilities Act (ADA) regarding wellness programs. The proposed regulations amend existing regulations and provide guidance on the extent to which employers may use incentives to encourage employee participation in wellness programs that include disability-related inquiries and/or medical examinations. The proposed regulations are intended to work in tandem with final regulations under the Health Insurance Portability and Accountability Act (HIPAA) and the Affordable Care Act (ACA), but there are significant differences.

This advisory discusses the proposed regulations’ content, how they interact with the final HIPAA/ACA regulations, and what next steps employers should consider. While the regulations are not yet final, and are now subject to a 60-day comment period, they are likely to be implemented largely as drafted, and it is not too early to start preparing.


Many different laws govern wellness programs, including HIPAA, ACA, Civil Rights Act, Equal Pay Act, Age Discrimination in Employment Act, Genetic Information Nondiscrimination Act and, of course, the ADA. In recent years employers have revised their wellness programs to comply with final regulations under HIPAA and the ACA (see our previous advisory). These rules prohibit discrimination in premiums, benefits or eligibility based on a health factor, with exceptions for premium discounts, rebates or modifications to otherwise applicable cost sharing (e.g. copayments, deductibles or coinsurance) for wellness programs. In contrast, the ADA prohibits discrimination against individuals with disabilities and prohibits employers from making disability-related inquiries or requiring medical examinations of employees, except in limited circumstances.

Relevant to wellness programs, medical examinations and inquiries must be “voluntary” and there cannot be a “penalty” for not participating. A key open question was whether withholding a premium adjustment or reward available under a wellness plan, for an employee who elected to opt out, was akin to a penalty and therefore the program was not “voluntary.” The EEOC’s position under the ADA on wellness programs has been unclear for many years, culminating in a burst of recent enforcement activity, and lawsuits being filed this past year, that left employers wondering whether their HIPAA/ACA compliant wellness programs are also ADA compliant.

How Do the Proposed Regulations and the HIPAA/ACA Regulations Fit Together?

The EEOC stated that compliance with the HIPAA/ACA regulations is not determinative of compliance with the ADA, but acknowledged its responsibility to interpret the ADA in a manner that reflects both the ADA’s goal of limiting employer access to medical information and the HIPAA/ACA provisions promoting wellness programs. In addition, the EEOC rejected the “bona fide benefit plan” ADA safe harbor as the proper basis for finding wellness incentives permissible and stated that wellness incentives should be measured under the “voluntary” ADA standard.

What does that mean and where does it leave employers? The short answer is that employers now have two sets of rules for compliance that work together (sort of). The table below describes the proposed regulations’ requirements, and how the new rules fit into the HIPAA/ACA scheme. Employers should assess what action they need to take by using the checklists in the table below, and should contact their DWT employment and benefits attorneys for further information.

ADA Proposed Regulations

HIPAA/ACA Final Regulations

Program must promote health and prevent disease

An employee health program, including any disability-related inquiries or medical examinations, must be reasonably designed to promote health or prevent disease. To meet this standard, the program must have a reasonable chance of improving the health of, or preventing disease in, participating employees, and must not be overly burdensome, a subterfuge for violating the ADA or other laws prohibiting employment discrimination, or highly suspect in the method chosen to promote health or prevent disease. 

The following are acceptable components:

  • Health risk assessment (HRA) and/or biometric screening of employees for purpose of alerting employees to health risks.
  • Use of aggregate information from employee HRAs by an employer to design and offer health programs aimed at specific conditions that are prevalent in the workplace (e.g. diabetes management programs).

The following are NOT acceptable components:

  • Collecting medical information on an HRA without providing employees with follow-up information or advice (e.g. feedback about risk factors, or using aggregate information to design programs or treat specific conditions).
  • Imposing, as a condition to a reward, an overly burdensome amount of time for participation.
  • Requiring unreasonably intrusive procedures.
  • Placing significant costs related to medical exams on employees.
  • Program exists mainly to shift costs from employer to employees based on health.

Similar, but double-check your plan

This is very similar to the requirement for health contingent programs to be reasonably designed to promote health or prevent disease.



These components would also be acceptable under the HIPAA/ACA regulations.

The HIPAA/ACA regulations do not specifically deal with all of these examples in the proposed regulations.  For example, there is no requirement to provide follow-up information or advice.  In addition, although the HIPAA/ACA regulations address time burdens and costs in the context of reasonable alternative standards, they do not explicitly cover these issues for the normal standards to obtain a reward. 

☐ Check that your wellness program and practices do not include any of the components listed as not acceptable.


Program must be voluntary to comply with ADA

An employee health program including disability related inquiries or medical examinations (including as part of an HRA) must be voluntary.  This means that employers may not:

  • Require employees to participate.
  • Deny coverage under any of its group health plans or benefits packages within a group health plan for non-participation, or limit the extent of that coverage.
  • Take any adverse employment action or retaliate against, interfere with, coerce, intimidate or threaten employees (within the meaning of the ADA).

In addition, where the wellness program is part of a group health plan, the employer must provide an understandable notice that clearly explains the type of medical information that will be obtained and the specific purposes for which the information will be used, restrictions on disclosure of the employee’s medical information, the employer representatives or other parties with whom the information will be shared, and the methods that the employer will use to ensure that medical information is not improperly disclosed (including whether it complies with HIPAA).

Key difference!
HIPAA/ACA regulations require a notice for health contingent programs; however, note the following:

☐ The ADA notice is required for both participatory and health contingent programs.

☐ The ADA notice requires more information than the HIPAA/ACA regulations.



Limited incentives are permissible for wellness programs that are part of a group health plan that includes disability related inquiries or medical exams.

  • Incentives are permitted up to a maximum of 30% of the total cost of employee-only coverage.
  • Incentive can be a reward or penalty, financial or in-kind (e.g. time-off awards, prizes or other items of value).
  • 30% maximum applies to both participatory and health contingent programs. The EEOC wants to ensure that the incentive limits are not so high as to make participation in the program involuntary. 

Example: Plan’s total annual premium for employee-only coverage is $5,000 (including employer and employee contributions).  Plan provides: (i) $250 reward to employees who complete an HRA; and (ii) $1,500 reward for participating in a health contingent wellness program to promote cardiovascular health.  Total reward is $1,750.  This violates the ADA because it exceeds 30% of the total cost of coverage.  Reward must be capped at $1,500 under the ADA.

In contrast, wellness programs that do not require disability-related inquiries or medical examinations to earn an incentive are not subject to the ADA’s incentive limits.  This includes, for example, attending nutrition, weight loss or smoking cessation classes.


Key differences! 
Under the HIPAA/ACA regulations, the 30% maximum reward applies only to health contingent programs, and participatory programs do not have to be included. 

☐ Employers should review the rewards allocated to different components of their programs to ensure compliance.

☐ Employers who are using the total cost of family coverage where spouses participate should recalculate the maximum permissible reward based on the cost of employee-only coverage.


Incentive rules for tobacco related programs

  • A smoking cessation program that merely asks employees whether or not they use tobacco, or whether they ceased using tobacco upon completion of the program, is not subject to the EEOC’s incentive rules. Therefore, an employer could offer incentives as high as 50% of the cost of employee coverage under the HIPAA/ACA regulations.  Employer would still have to provide reasonable accommodation, where necessary.
  • However, biometric screening or other medical exam testing for the presence of nicotine or tobacco is a medical exam so that the ADA’s financial incentive rules apply, and the incentive must be capped at 30%.



Key difference! HIPAA/ACA regulations permit incentives up to 50% of the total cost of employee coverage for programs designed to prevent or reduce tobacco use. 

☐ Employers should assess whether the program incorporates a medical exam. If so, then the award has to be limited to 30% under the ADA. If not, then 50% is acceptable.

Reasonable Accommodation

Under the ADA, regardless of whether a wellness program includes disability related inquiries or medical examinations, reasonable accommodation must be provided, absent undue hardship. For example:

  • Employer offers a financial incentive to attend a nutrition class, regardless of the result.  Employer has to provide a sign language interpreter to a deaf employee, so long as that does not create undue hardship to the employer.
  • Employee has vision impairment.  Absent undue hardship, employer has to provide written wellness materials in an alternate format, such as large print.
  • An employer offers a reward for completing a biometric screening with a blood draw.  Employee has a medical condition such that it is dangerous to do this.  Employer has to provide an alternative test or certification requirement.



Key difference for participatory programs! Under the HIPAA/ACA regulations, reasonable alternative standards are required only for health contingent programs.  In contrast, under the ADA proposed regulations, an employer has to provide reasonable accommodation for a participatory program even though that is not required under the HIPAA/ACA regulations.   

☐ Employers should review their participatory programs and ensure that they are considering reasonable accommodation, where appropriate.

Note: The EEOC acknowledges that providing a reasonable alternative standard and notice to the employee of the availability of a reasonable alternative under the HIPAA/ACA regulations as part of a health contingent program would likely satisfy the reasonable accommodation requirement.


Medical information or history obtained under a wellness program regarding any individual may only be provided to the employer in aggregate terms that do not disclose, or are not reasonably likely to disclose, the identity of any employee, except as necessary to administer the health plan and as otherwise permitted by the ADA. Both employers and administrators must ensure compliance with this provision.  An employer should be able to comply with this rule by complying with the HIPAA Privacy Rule.

Under existing regulations medical records developed in the course of providing voluntary health services to employees, including wellness programs, must be maintained in a confidential manner.  While there is an exception allowing disclosure to managers and supervisors in connection with necessary work restrictions or accommodations, this would rarely, if ever, apply to medical information collected as part of a wellness program.  

The EEOC reminds employers that they must ensure the confidentiality of employee medical information, and that proper training of individuals who handle medical information is critical. Employers should also have clear privacy policies and procedures regarding medical information, and on-line systems should guard against unauthorized access.  In addition, the EEOC provided the following guidance, which employers can use as a checklist:

☐ Individuals who handle medical information that is part of an employee health program should not be responsible for making decisions relating to employment, such as hiring, termination or discipline.

☐ Consider using a third party vendor to collect information in support of a wellness program to reduce the risk of disclosure to those making employment decisions. Employers using a third party vendor should be familiar with the vendor’s privacy policies.

☐ Employers administering their own wellness program should have adequate firewalls in place to prevent unintended disclosure, and the information must not be used to discriminate on the basis of disability in violation of the ADA.

☐ Employers should report breaches of confidentiality immediately to affected employees.

☐ Employers should make clear that individuals responsible for disclosures of confidential medical information will be disciplined.

☐ If a vendor is responsible for confidentiality breaches, consider discontinuing the relationship.


Similar, but double-check your policies.

If a wellness program is part of a group health plan, the individually identifiable health information collected from or created about participants as part of the wellness program is protected health information (PHI), subject to the requirements of the HIPAA Privacy Rule. An employer can generally comply with the confidentiality requirements under the ADA that are applicable to wellness plans by complying with the HIPAA Privacy Rule.

Employers should confirm the following compliance steps are in place:

☐ Employer Certification: The employer has provided an employer certification to the health plan that the employer will comply with the HIPAA Privacy Rule.

☐ Privacy Notice: Wellness program is mentioned in the HIPAA Privacy Notice.

☐ HIPAA Policies/Procedures: Wellness program is included in the health plan’s policies and procedures.

☐ Business Associate Agreements: Employer has entered into business associate contracts with the wellness provider(s).

☐ Training: Employees who administer the wellness program understand the confidentiality requirements of HIPAA and the ADA.

☐ Wellness program is properly described in the ERISA documents for the group health plan, including the SPD.

☐ HIPAA Security Rule documentation properly covers information from the wellness program.